Security & Trust
Built to protect what matters.
BABA handles sensitive business data — team performance, finances, and operations. This page explains exactly how we protect it: where it lives, how it's encrypted, who can access it, and what our compliance posture looks like today and on the roadmap.
Honest claims only. No compliance theater. See our Data Transparency page for the full plain-English data story.
Hosting & infrastructure
Production database: Supabase Pro, EU-hosted (eu-west-1, Ireland). Your data at rest never leaves the EU. Supabase acts as our data processor under a Data Processing Agreement (DPA) that covers its GDPR obligations.
Application servers: AWS EC2 (eu-west-1, Ireland). The web application runs in the same EU region as the database. Dev and production use separate environments and separate Supabase projects — dev data never reaches the production database.
We are planning to migrate application serving to Vercel edge infrastructure before the first paying customer onboards. When that changes, this page will be updated with the new region configuration.
Encryption
Encryption at rest: AES-256. All data stored in the Supabase database is encrypted at rest using AES-256, the same standard used by financial institutions and healthcare systems. Encryption at rest protects the stored data if the underlying storage is lost or read outside the database; who can read data through BABA itself is governed by the access controls below.
Encryption in transit: TLS. All traffic between your browser and BABA is encrypted in transit via TLS. No data moves over plain HTTP.
Access control
Org-scoped isolation at the database layer. Every table is protected by Row-Level Security (RLS) policies enforced directly in PostgreSQL, not only in application code. A user in one organization cannot read or write another organization's data, even if application-layer logic were bypassed.
Role-based access within your organization. Owners see everything in their organization. Admins see the records within their department. Staff members see only their own records. These permissions are enforced at both the application layer and the database policy level.
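As an added illustration of the two mechanisms just described, the following is a hypothetical schema with PostgreSQL RLS policies of the kind Supabase supports. It is not BABA's own schema or policy set; the table and column names are assumptions, and it relies on Supabase's auth.uid() helper, which returns the calling user's id from their JWT.

```sql
-- Added example (not BABA's schema or policies): org-scoped isolation plus
-- owner/admin/staff scoping enforced in PostgreSQL RLS. Table and column
-- names are hypothetical; auth.uid() is Supabase's JWT helper.

create table memberships (
  user_id       uuid not null,
  org_id        uuid not null,
  department_id uuid,
  role          text not null check (role in ('owner', 'admin', 'staff')),
  primary key (user_id, org_id)
);

create table performance_records (
  id              uuid primary key default gen_random_uuid(),
  org_id          uuid not null,
  department_id   uuid not null,
  subject_user_id uuid not null,   -- the staff member the record is about
  notes           text
);

-- The policies below look up the caller's membership, so each user must be
-- able to read their own membership rows (and nobody else's).
alter table memberships enable row level security;
alter table memberships force row level security;
create policy own_memberships on memberships
  for select using (user_id = auth.uid());

alter table performance_records enable row level security;
-- FORCE applies the policies to the table owner too; without it a connection
-- as the owning role would still see every row.
alter table performance_records force row level security;

-- 1. Org boundary as a RESTRICTIVE policy. Restrictive policies are ANDed with
--    every other policy, so no role-specific rule can widen access past the
--    caller's own organization.
create policy org_boundary on performance_records
  as restrictive
  for all
  using (
    exists (select 1 from memberships m
            where m.user_id = auth.uid()
              and m.org_id = performance_records.org_id)
  )
  with check (
    exists (select 1 from memberships m
            where m.user_id = auth.uid()
              and m.org_id = performance_records.org_id)
  );

-- 2. Role scoping as PERMISSIVE policies (ORed together) inside that boundary.
create policy owner_reads_all on performance_records
  for select using (
    exists (select 1 from memberships m
            where m.user_id = auth.uid()
              and m.org_id = performance_records.org_id
              and m.role = 'owner')
  );

create policy admin_reads_department on performance_records
  for select using (
    exists (select 1 from memberships m
            where m.user_id = auth.uid()
              and m.org_id = performance_records.org_id
              and m.role = 'admin'
              and m.department_id = performance_records.department_id)
  );

create policy staff_reads_own on performance_records
  for select using (subject_user_id = auth.uid());

-- 3. Writes: owners, and admins within their department, may insert. WITH CHECK
--    rejects rows whose org_id or department_id fall outside the caller's scope.
create policy owner_admin_insert on performance_records
  for insert with check (
    exists (select 1 from memberships m
            where m.user_id = auth.uid()
              and m.org_id = performance_records.org_id
              and (m.role = 'owner'
                   or (m.role = 'admin'
                       and m.department_id = performance_records.department_id)))
  );
-- No permissive policy exists for UPDATE or DELETE, so with RLS enabled those
-- commands affect zero rows for every caller until a policy is added.
```

Two caveats worth checking in any deployment of this pattern. First, RLS is evaluated as the database role making the request: in Supabase the anon and authenticated roles are subject to these policies, but the service_role key and any superuser bypass RLS entirely, so server-side code holding that key must scope its own queries. Second, policies are only as good as their tests: run the same SELECT as a user from organization A against rows tagged with organization B and confirm it returns zero rows, for each of the three roles.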
BABA staff access. We do not browse customer data routinely. BABA staff can only access your data when you explicitly share a conversation with us (e.g., for a support request), or when required by law.
Compliance posture
GDPR — live. BABA operates under GDPR requirements today. Data is EU-hosted, a DPA is in place with Supabase, and data subject requests (access, deletion, export, correction) are processed within 30 days. See our Privacy Policy and Data Transparency page for the full picture.
HIPAA — Track 2 roadmap. The current product (Track 1) does not store Protected Health Information (PHI). A dedicated healthcare tier (Track 2) is in development, targeting Q4 2026. That tier will use a HIPAA-eligible infrastructure configuration on AWS, and a Business Associate Agreement (BAA) will be available before any PHI flows through BABA integrations.
SOC 2 — pre-audit. A SOC 2 Type II audit is on the compliance roadmap for post-launch. We are actively building toward the control requirements — access controls, logging, incident response — but we have not yet completed an audit. We will not claim SOC 2 certification until we have one.
AI & your data
We do not train AI models on your business data. Your conversations with the BABA AI Guide are used to generate responses in your session. They are not used to retrain or fine-tune any AI model — ours or anyone else's.
What we send to Anthropic. AI responses are generated via Anthropic's API. We send only the content of what you type into the BABA AI, not your name, email, or other identifiable personal data from your account. Anything you include in the text of a prompt itself is sent as part of that content. Anthropic's data handling is governed by Anthropic's Privacy Policy.
We do not sell your data. Ever. To anyone. Not to data brokers, advertisers, or investors. Investor updates contain aggregate, anonymized metrics only.
Subprocessors
BABA uses the following third-party subprocessors. Each has its own security and privacy obligations as part of our vendor relationships:
- Supabase — database and authentication (EU-hosted, DPA in place)
- Amazon Web Services (AWS) — application hosting (eu-west-1, Ireland)
- Anthropic — AI response generation (API access; no identifiable data sent)
- Stripe — payment processing (we do not store card data; Stripe is PCI DSS Level 1 certified)
- Sentry — error monitoring (application error logs; no business data)
We are the data controller. Each subprocessor acts as a data processor under our instructions.
Report a vulnerability
If you discover a security vulnerability in BABA, please report it to us directly before public disclosure. We take all reports seriously and respond within 2 business days.
Please include: the type of vulnerability, a description of the potential impact, and steps to reproduce. We will work with you to verify and address the issue before coordinated disclosure.